Changing the Default SSL Certificate on Watchguard Firewalls.

If you have a requirement to perform PCI scanning against your firewall and are using the Watchguard SSL VPN client for remote connectivity you will fail PCI tests or other certifications due to the default certificate on the firewall not being produced from a trusted authority. There is no way to get around this apart from disabling SSL VPN or replacing the default certificate with a purchased certificate from a trusted vendor.

As the SLL VPN is arguably the best method of remote connectivity to a Watchguard firewall there will be many people affected by this problem when they first look at PCI scanning.

This guide serves to advise on the steps required to purchase and install a certificate that will allow the scan to complete with a pass result.

To install a certificate of any type on a Watchguard firewall you must first generate a certificate request in the certificate manger.

To find the certificate manager, open the firebox system manager and look under the view menu.

When you click on the certificate manager you should see a window like this…

You will see the create request button located at the bottom of this window.

Follow the wizard and when you get to the certificate information page there are 3 required fields that you must fill out in order to proceed. You cannot make up information for this section as the certificate authority will use the information filled out in these boxes to ensure you are the correct owner of the domain in question. This is part of what makes a certificate valid so end users can be re-assured they are accessing legitimate resources that are owned and managed by the correct people.

There are several types of certificate that can be used on a Watchguard firewall but as this guide is to resolve the issue with SSL-VPN we are going to select the bottom option for Webserver, Ipsec and other.

We will then fill in the information on the next screen.

Under Name (CN) you need to fill in your public domain name, so if I was purchase a certificate for www.precursorsecurity.com I would enter precursorsecurity.com

For Company Came (O) I would enter Precursor Security

And for Country (C) I would enter UK

The next screen wants the IP address the service will be listening on so this will be the public address on your firewall you are using for SSL VPN connections.

The user domain name needs to be a valid email address that uses the domain name you specified on the previous screen. If I use Precursor as an example again, I could use [email protected] as my user domain name.

The DNS name is going to be something that can resolve to the IP address you are using for the service. I would recommend registering a sub domain entry with whoever hosts your DNS, in this instance I have used the sub domain SSL.precursorsecurity.com and made sure that resolves to the IP being used for the SSL service.

It helps to have this DNS entry in place before this process is complete as the certificate authority can then resolve the domain and see that the information is valid but most will allow you to go through the process without the DNS pointer in place and offer a secondary method to validate the domain ownership.

The next screen has some encryption strength settings and allows you to pick the type of encryption used to generate the certificate.

You can leave the defaults here as they will be fine for most installations. If you have specific requirements for the settings on this screen, then feel free to configure as you require.

Once you hit next on this screen you will be asked for the WRITE password for your firewall, once this is confirmed it will generate the request.

You will see something like this…

You need to select the content in this window and save it to a text file as this will be required when we purchase the certificate.

You should also now see an entry in the certificate manager for a new cert with your details in and its status set to “Pending”.

You can now go to purchase your certificate from a trusted authority, there are several vendors available and you may have a preferred vendor you wish to use. The process shouldn’t differ to much from vendor to vendor but each may have their own method of verifying the domain ownership and there could be significant differences between their interface for purchase a certificate.

Whatever vendor you use, once you select the option to purchase a certificate and make the relevant payment they should pop up a box asking you to paste in your request. This is the text the firewall generated when you went through the request process, past that into their interface and follow whatever instructions they give you to validate the domain and get to the point where a certificate is available for download.

once this process is complete you should have a downloaded file containing the new certificate.

Usually they will give you the option to download several versions of your certificate intended for different target server types, if the option is available try downloading for something linux/unix based such as Apache or Tomcat.

The download is usually in the format of an archive file with some different files inside. Now if you read up on certificate usage you will see there are different file types for certificates such as PEM files or CRT files. This can be important when trying to get certificates on to specific targets but for the WatchGuard import we are actually just going to use the raw data in the cert files so don’t worry about the file extension that much even though the import screen on the firewall will say it wants PEM files specifically.

If you open the archive you have downloaded, depending on the type of server you said the certificate was for you will have either 2 or 3 files. If you selected Apache then you will probably have 2 files, one of these is your certificate and one is the chain of trust.

Putting this in simple terms the certificate is the body of text you will find inside these files and it looks a lot like the request data you generated earlier. It will be a lot of random characters that are held between a “Start” and “End” statement.

Opening the first file in notepad I can see the following information…

-----BEGIN CERTIFICATE-----

MIIFVDCCBDygAwIBAgIJAL/bNTTAByOXMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD

VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa

MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0

cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj

dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE2MTAxMjE0MjYzOFoX

Niys1XZkQRmWtgQHj6iZ3gWhkJjJvAmT

-----END CERTIFICATE-----

This means this is the certificate itself so we can’t use this yet as we need to import the chain of trust so the firewall is aware of the certificate authority and then it will let us import the certificate information. If you try to import this at this time you will get an unable to import error off the firewall.

If we open the other file in notepad we will see a similar type of data but it should look like 3 certificates in a row.

This is the chain of trust and it needs to be imported in a specific order in order to get the firewall to accept it, if you try to import this file directly or paste the information from it in a single batch you will also get a failed to import error.

The trick with this part of the import is to import the chain in the order the firewall is expecting..

If we go back to our certificate manager on the firewall software and this time hit the import button you should see a screen like this…

Select the ipsec, web server, other option at the bottom and then you are going to paste the chain information into the bottom box.

What is important here is the order the chain goes into the firewall.

If you look at the file with the chain in it (the one that looks like it has three certificates in a row) then you are going to start with the certificate at the bottom of that file and work backwards. So selecting from where it says Begin Certificate to where it says End of certificate you will paste the bottom section into the above box and hit import (this includes the phrases begin cert and end cert).

Repeat this for the centre section of the chain file.

And finally do this for the top section of the chain file.

This will add the certificate authority to the firewall as a trusted authority and allow us to import the actual certificate.

Once the chain of trust is imported you can import the text from the other file and your entry in the certificate manager should finally change from pending to signed.

The last change you need to make is to make your new certificate the default web server certificate, this can be found in the policy manager by going to “setup”, then “authentication” and the to “web server certificate”. You should see a box like this,

Select “Third Party Certificate” as above and select your new certificate from the list. Once this change is saved to the firewall you should now have a trusted certificate in place for https and SSL resources which will resolve the PCI fail you were getting with the default certificate.